1. Field of the Invention:
The present invention relates to a method and apparatus for verifying the identity of an individual by examining keystroke characteristics of the individual. The present invention is applicable to any type of system in which access to the system is desired to be limited to authorized users.
2. Discussion of the Background:
It is often desired to have a secure system in which only authorized users are able to access the system. One way to control access to a system is to assign to a person a password which upon entering into the system, allows access. However, a problem with such a system is that unauthorized users often discover a person's password. Therefore, a more secure method of permitting access to a system would be to base the decision of whether to allow a person access to the system using physical characteristics of the person which are impossible or very difficult to copy. Such systems might use a palm or finger print, retina scan, or other physical feature of a person. However, the use of finger or palm prints may not be very secure in that such systems are prone to deception by pressing a photographic or xerographic image of the physical feature onto the device attempting to verify an individual's identity. A further problem with such systems is that they require additional expensive hardware.
Research has been performed which indicates that the way an individual types is unique to that person and has been called a personal and physical attribute (see Forsen et al., "Personal Attributes Authentication Techniques", Rome Air Development Center Report RADC-TR-77-1033 (1977)). U.S. Pat. No. 4,805,222 issued to Young et al. discloses a system for verifying the identity of an individual based on keystroke dynamics. Young et al. create a template of a user's keystroke characteristics by creating a Euclidean vector in n-space. When a user is subsequently trying to gain access to the system, the user types a text passage and an Euclidean vector in n-space is created. This vector is compared to a vector corresponding to the template and if the Euclidean distance between the vectors is small enough, the user is allowed access to the system. U.S. Pat. No. 4,621,334, issued to Garcia operates in a similar manner but uses a Mahalanobis distance function to determine the distance between the constructed vectors.
However, a problem with previous systems which use keystroke characteristics for verifying a user's identity is that either they require a large number of keystrokes to determine if the user is authorized, or on the other hand, use a small number of keystrokes but the results produced by the system are not acceptable. For example, Forsen et al. suggest that typing names alone would not provide enough information to make a good identification. Gaines, Lisowski, Press and Shapiro in "Authentication by Keystroke Timing: Some Preliminary Results" (1980) RAND report R-2526-NSF, found that approximately one page of text does not provide certainty for identification. Leggett, Williams and Umpress in "Identity Verification Through Keyboard Characteristics" from International Journal of Man-Machine Studies, 35 pp. 859-870 (1988), used a 537 character test to yield an imposter pass rate (IPR) of 5.0% and a false alarm rate (FAR) of 5.5%.